[ale] Firewall/VPN solutions

Michael H. Warfield mhw at WittsEnd.com
Thu Mar 29 13:41:49 EDT 2007


On Wed, 2007-03-28 at 11:15 -0500, Bob Toxen wrote:
> Do consider StrongSwan, which used to be OpenS/WAN, for IPSec universal
> compatibility.

	Minor nit...

	Openswan and strongSwan both branched off of FreeS/WAN almost at the
same time, years ago, when they shut the FreeS/WAN project down.
Openswan 1.x originated in the Super FreeS/WAN project (FreeS/WAN with
enhancements).  I've never seen strongSwan claim to originate with
Openswan, even when they had the side-by-side feature charts on the
site.  They only claim to be a descendant of FreeS/WAN.

	Openswan appears to have much more active development and support going
on (based on the volume and diversity of the posters on the respective
mailing lists) but strongSwan 4.x supports IKE v2, which Openswan does
not, if IKE v2 matters to you (highly doubtful).  If it doesn't matter
to you, they're pretty much equivalent.  There are a few differences
regarding X.509 revocation lists but few deployments are impacted by
that.  The strongSwan site USED TO have a feature comparison between
Openswan and strongSwan but that appears to have disappeared and was
probably out of date.

	StrongSwan is in Debian and Gentoo while you find Openswan in Fedora
and Redhat and others of that family tree.  But either is available for
any Linux distro, being pretty much distro agnostic.  Both interoperate
with a number of other vendors, such as Cisco and CheckPoint as well.

	I strongly agree though...  If you want robust interoperability and
good performance and scalability, then IPSec is the way to go and either
Openswan or strongSwan are your leading candidates (there's also the
unrelated Racoon aka "IPSec tools" but that's mostly for the masochistic
among us).

	OpenVPN doesn't scale nearly as well as IPSec (no fully meshed server
mode and the PtP mode requires unique UDP sockets for each client) and
can have performance problems with a large number of clients (the IPv6
Join project in Germany had to use NULL encryption in order to support
the number of clients they desired using OpenVPN without crippling their
servers).  OpenVPN and IPSec NAT-T both use ESP-in-UDP encapsulation, so
the traffic is almost identical but with IPSec, your encapsulated data
traffic isn't having to be processed by a user land process, so the
impact on the system is lower (the ESP code is built into the kernel).

> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002

	Mike

> On Tue, Mar 27, 2007 at 07:49:49AM -0400, Steve Tynor wrote:
> > I can second OpenVPN -- we used it on our IPCop firewall.  All of our 
> > client machines are currently Windows, so I can't speak to Linux or OS/X 
> > support,  but the Windows client is dead simple and it "just works".
> > 
> > Steve
> > 
> > On 3/27/2007 2:26 AM, Michael B. Trausch wrote:
> > > On Mon, 2007-03-26 at 08:42 -0400, Jeremy T. Bouse wrote:
> > >> I'm looking for some suggestions on a turn-key firewall/vpn solution
> > >> that provides multi-OS client support. I used to consider Sonicwall in
> > >> that category but their recent versions only support Windows with limited
> > >> Mac and absolutely zero Linux support. I'm fairly certain Cisco can
> > >> support all three but looking for all possible solutions I might have
> > >> overlooked.
> > > 
> > > I am not sure if this will help you at all, but I have been looking for 
> > > a VPN solution for something I want to do, and it seems that OpenVPN 
> > > would serve my needs quite well; it provides a full VPN setup that is 
> > > relatively easy to configure (GNOME can configure the client side 
> > > automatically), and it uses the well-known and trusted SSL mechanism for 
> > > protecting the tunnel itself.  The server uses a configuration file, and 
> > > there are several options for making it work--ranging from using PAM to 
> > > authenticate to full client-side SSL certificates that authenticate to 
> > > the VPN server.
> > > 
> > > I am only testing it so far myself, but it seems to be the only solution 
> > > that would work for what I am doing, other than perhaps an SSH VPN--but 
> > > I'm not so sure on that one.  It would likely work, but I think I would 
> > > have to code a lot more for it, and OpenVPN is available as a package, 
> > > just like the SSH server is (at least on Ubuntu).
> > > 
> > >     Mike
> > > 
> > > --
> > > Michael B. Trausch 	
> > > fd0man at gmail.com
> > > Phone: (404) 592-5746 	
> > > Jabber IM: 	fd0man at gmail.com
> > > fd0man at livejournal.com
> > > 
> > > *Demand Freedom!  Use **/open/** and **/free/** protocols, standards, 
> > > and software!*
> > > 
> > > 
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
